drsh0's llog

Vulnhub – Funbox Rookie

December 10, 2020

URI: https://www.vulnhub.com/entry/funbox-2-rockie,520/ Difficulty: Easy

Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.

enumeration

nmap
find anon ftp access
get all zip files – they contain id_rsa keys but are password protected

initial access

use /usr/sbin/zip2john to get hashes of all zip files
use john to crack these hashes using your favourite wordlist
user tom's zip file could be successfully cracked
extract id_rsa with password
chmod 600 id_rsa && ssh -i id_rsa $VulnHubIP -v
we're in 🔓
grab local.txt

privesc

sudo -l – prompted for tom's password which we don't have yet
check all files in directory ls -la
investigate .bash_history and .mysql_history
looks like we see a password in mysql history
we have excessive sudo privileges
sudo su -l and grab proof.txt 🔚

#vulnhub #ssh #sudo